The FreePBX project has issued an important security advisory addressing two vulnerabilities that pose significant risks to administrators and API-integrated systems. The flaws—CVE-2025-55209 (CVSS 7.3) and CVE-2025-55739 (CVSS 8.6)—have now been patched, and users are strongly urged to update immediately.
The first vulnerability, CVE-2025-55209, is a stored cross-site scripting (XSS) issue found in the User Control Panel (UCP) Contact Manager widget.
According to the advisory, “A stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. This code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation.”
The problem arises when a UCP user creates a new Group with a malicious JavaScript payload in the name field. The input is not properly sanitized, allowing it to:
- Fire immediately in the UCP session.
- Persist and execute later in the administrative interface (/admin/config.php?display=contactmanager) when an administrator clicks the Private tab and adds a contact.
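The two sides of this issue, as an added example that is not part of the advisory or of FreePBX's own code: a review helper of the kind the advisory's "review existing UCP Contact Groups" step calls for, which flags group names containing HTML or script markup, and a rendering function that applies the context-aware output encoding the vulnerable widget lacked. The sample group names are constructed, the regular expression is an assumed heuristic, and the row template is an assumed stand-in for the administrative page, not the Contact Manager module's own markup.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
)

// Constructed sample of Contact Manager group names, as a review script might
// read them from the database; the injected entries use placeholder payloads,
// not anything observed on a real system.
var sampleGroupNames = []string{
	"Sales Team",
	"Support <script>alert(1)</script>",
	"Night Shift",
	"x\" onmouseover=\"alert(1)",
}

// markupPattern (assumed heuristic) flags anything that could open a tag,
// start an event-handler attribute, or form a javascript: URL inside a value
// that is supposed to be plain text.
var markupPattern = regexp.MustCompile(`(?i)<\s*/?[a-z]|on[a-z]+\s*=|javascript\s*:`)

// FindSuspiciousGroups returns the names that contain HTML or script markup.
// A group name is free-form text, so any markup at all deserves a human look.
func FindSuspiciousGroups(names []string) []string {
	var hits []string
	for _, n := range names {
		if markupPattern.MatchString(n) {
			hits = append(hits, n)
		}
	}
	return hits
}

// groupRow is an assumed, minimal stand-in for an admin-side row template.
// html/template escapes {{.}} according to the HTML context it lands in,
// which is exactly the output encoding missing from the vulnerable widget.
var groupRow = template.Must(template.New("row").Parse(
	`<li class="group" data-name="{{.}}">{{.}}</li>`))

// RenderGroupRow renders one group name with context-aware escaping applied,
// so a stored payload is shown as text instead of executed.
func RenderGroupRow(name string) string {
	var buf bytes.Buffer
	if err := groupRow.Execute(&buf, name); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	for _, n := range FindSuspiciousGroups(sampleGroupNames) {
		fmt.Printf("review: %q\n", n)
		fmt.Println("  rendered safely as:", RenderGroupRow(n))
	}
}
```

The scanner is deliberately broad: a false positive costs a glance, while a missed entry leaves a payload waiting for the next administrator who opens the Private tab.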
The second vulnerability, CVE-2025-55739, involves an OAuth private key reuse issue across systems installed from the same FreePBX RPM or DEB package.
The advisory states, “A security issue was identified in which the OAuth private key was identical across multiple systems that installed the same FreePBX RPM or DEB package. This vulnerability could allow an attacker to tamper with JSON Web Tokens (JWTs) and potentially obtain full-scope API access.”
An attacker with access to the shared key could:
- Forge JWT tokens.
- Bypass authentication.
- Gain full access to REST and GraphQL APIs if the api module is enabled.
The patch ensures that each system now generates a unique OAuth key during API module installation, eliminating cross-instance token forgery risks.
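Why a packaged key is dangerous and why a per-install key closes the issue, as an added example that is not the advisory's or FreePBX's own code: two simplified API servers sign RS256 JSON Web Tokens with an RSA private key; when both hold the same key, a full-scope token minted by one verifies on the other, and once each generates its own key the same token is rejected. The Instance type, the claim names, and the token format are assumptions for illustration, not the api module's real implementation. The Fingerprint helper is the check a practitioner can run after patching: if two installs report the same public-key fingerprint, they are still sharing a key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Instance is an assumed model of one API server that signs its access
// tokens with an RSA private key; it is not the FreePBX api module's code.
type Instance struct {
	Name string
	Key  *rsa.PrivateKey
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Fingerprint hashes the public key; identical values on two installs mean
// they still share a packaged key. Marshalling a valid RSA key cannot fail.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return fmt.Sprintf("%x", sum[:])
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint issues a compact RS256 JWT carrying the given subject and scope.
func (in *Instance) Mint(sub, scope string) string {
	header := b64([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims, _ := json.Marshal(map[string]string{"iss": in.Name, "sub": sub, "scope": scope})
	signingInput := header + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, in.Key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64(sig)
}

// Verify accepts a token only if the header names RS256 and the signature
// checks out under this instance's own public key.
func (in *Instance) Verify(token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(&in.Key.PublicKey, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	var claims map[string]string
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// CrossInstanceAccepted models two installs that either share one packaged
// key (pre-patch) or each generate their own (post-patch), has the first mint
// a full-scope token, and reports whether the second accepts it.
func CrossInstanceAccepted(sharedKey bool) bool {
	packaged := newKey()
	a := &Instance{Name: "pbx-a", Key: packaged}
	b := &Instance{Name: "pbx-b", Key: packaged}
	if !sharedKey {
		b.Key = newKey()
	}
	_, err := b.Verify(a.Mint("admin", "*"))
	return err == nil
}

func main() {
	fmt.Println("shared packaged key, B accepts A's token:", CrossInstanceAccepted(true))
	fmt.Println("unique per-install keys, B accepts A's token:", CrossInstanceAccepted(false))
}
```

The point of the model is that signature verification proves only that the signer held the private key; it says nothing about which install that key came from, so the defence has to be key uniqueness, which is what the patch restores and what comparing fingerprints across installs confirms.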
Recommended remediation steps for CVE-2025-55209:
- Upgrade to the patched versions immediately.
- Review existing UCP Contact Groups for suspicious entries or injected JavaScript.
Recommended remediation steps for CVE-2025-55739:
- Update the API module to the latest version.
- Regenerate all tokens—old tokens are no longer valid.
- Verify that client applications can request and handle the new tokens.
- Check logs for suspicious activity, such as unauthorized extensions, trunks, or call records.
- Run the fwconsole chown command to ensure proper permissions on updated keys.
- Update the adv_recovery module for compatibility.